
Hello, I'm Steve Kwan[sp], and I'm here with Adim Nahid[sp], and we're excited to do another year of a great partnership between VMware and Trend Micro. Over the last [xx] years our customers have been moving quickly to adopt cloud, and security is top of mind for them, and I think the relationship has really …

It’s really the effect of those defects, and who can exploit them and in what way, that makes them a quality or security problem.

Now, I think developers tend to be less well trained on security as a group.

Quality problems they tend to recognize better and fix better.

But ultimately these are code-level problems, and as such I don’t think there’s really a clear line between the two.

If you look at many programs, and many programming languages, the exact same bug could be both a quality problem and a security problem.

And I think that blurring is not necessarily a bad thing; it’s a good thing, because it makes developers realize that they need to look at the quality and the security of the software together in order to get it right.

So as you heard Aart talk about in his keynote, about a month ago we signed an agreement to acquire Coverity, which enters us into the Software Quality and Analysis measurement market.

You can see this is a large market.

It’s about 500 million dollars today according to IDC, and growing pretty rapidly, about 20 percent per year.

The good news is that with this announcement, we enter this market as the leader.

So why is this market growing so rapidly?

Well, I think it’s obvious to everyone that the role of software in the world is just dramatically exploding.

We see in our traditional customer base, and among the companies that are here at SNUG, that many, many companies are hiring more software engineers than hardware engineers today.

And then you look outside of the companies that are attending SNUG today, and many, many industries are basically based on software.

Their main differentiation is on software.

They are essentially software companies, whether they are energy companies or retail companies or telecommunications companies or oil and gas companies.

It’s all built on a software infrastructure.

And if you think about software, it has really changed how we’ve developed software very much over the last 20 years.

Software is still developed more or less like cars were developed a hundred years ago.

We write the software.

We get in it, we drive it along, and we wait for a wheel to fall off.

And when that happens, we figure out why the wheel fell off, slap it back on, get back in the car and go a little bit further down the road, and figure out why that wheel came off, etc., etc.

So this is great, but it is really not going to work moving forward.

You see all the time the cost of software defects exploding.

As a matter of fact, this is probably one of the major items in the nightly news.

Now, it has always been a problem.

All the way back in 1962, software was destroying spacecraft, but back then it was probably a yearly occurrence.

Now you can’t turn on the TV without learning about some major corporation that’s been embarrassed or practically destroyed, or lost 10 percent of their revenue, or lost a bunch of their market cap, or lost 500 million dollars in just a few minutes because of some defect in software.

So it’s hard to say exactly how much this is really costing the world, but there have been a couple of attempts.

Back in 2002, the National Institute of Standards estimated that software defects were costing the U.S. economy about 60 billion dollars at that time.

More recently, Cambridge University, in 2011, came out with a study in 2012 saying that software defects cost the world economy something over 300 billion dollars.

So the scary part isn’t so much what happens now, the 300 billion dollars that we’re spending on software defects now.

But it’s really what happens five and ten years from now if this problem doesn’t get solved.

Right now, software is… I think we’re ending the era of flat software.

I’ve talked to customers in the last month that have 500 million lines of software.

But mostly it’s just sitting there, and one piece of it is executing at a time.

Now we’re entering an era where we’re going to have software in our cars, interacting with navigation systems, driving our cars for us or at least assisting us, getting much, much more complicated.

Much, much more interactive.

And we just can’t afford to continue forward and end up spending trillions of dollars in the world working on software defects.

So what can we do about this?

I think it’s time to put some real engineering power behind this.

You saw this slide that Aart talked about this morning.

This was essentially the ‘what if’ slide that launched Synopsys.

And the idea here was: what if a developer can come up with a high-level design description, run it through some Secret Technology X, and come out with a correct schematic?

Wouldn’t that be wonderful?

And that’s really the innovation that launched the digital revolution.

I mean, there were many.

But without logic synthesis, we would not have the computers and the mobile technology, etc., that we have today, that is essentially driving everything.

So in software, is it possible to do something similar?

What if there was a software developer and, instead of coming up with a concept for a chip, he was writing software?

He was writing C code, and I’m sure most of you have already discerned the bug in that code there… That’s a little piece of bad code.

Unfortunately, the bug in there is one that is going to be intermittent and very hard to find, because it’s not going to act the same way every time you find it.

But it’s an easy bug to add.

We all do it, all the time.

In all my coding, every day, I do the same thing.

What if you were able to come up with a Technology Y that would go in and identify, without running and waiting for the wheel to fall off, exactly what’s wrong with the code?

Going back and telling the developer.

Maybe even eventually fixing it for him and allowing you to spit out good code right after that.

This presentation is on chapter ten in the book, on software security and trusted systems.

The book begins by defining a buffer overflow.

A buffer overflow is a process that stores data in a buffer outside the memory the programmer set aside for it.

If you guys have any experience with programming in C++, Java, or whatever the case may be, you are already familiar with buffers; it is just memory being allocated.

So a buffer overflow is where you are putting data in that buffer but it is actually outside of the memory that the programmer set aside for it.

When this happens, the extra data will then overwrite the adjacent memory, which can result in erratic program behavior.

A traditional way to understand this, in computer security and programming, is that when a buffer is overrun it's an anomaly where a process stores data in a buffer outside the memory the programmer set aside for it; the excess data is now overwriting adjacent memory, which may contain other data, including program variables and program flow control data.

Consequently, as I have already explained, this can result in erratic program behavior including memory access errors, incorrect results, program termination (a crash), or a breach of system security.

This is what we are going to focus on; this is one way hackers get into a system, by using the buffer overflow.

So the very easy way to understand this is understanding that a buffer overflow is a condition in a program, written by a function that attempts to copy more data into the buffer than it can hold.

So I think that is pretty good; hopefully I've explained what a buffer overflow is well. It is really difficult to get through this chapter without fully understanding this first concept.

So I want to show you how this works in code.

So again, if you guys already have a background in coding this will make a lot of sense to you.

So on the left-hand side you see my code. This is just traditional C code: I have a buffer that is set to the size of 90 bytes, and I am going to print that buffer. The way this works, if this is executed, is it is going to prompt the user to type something, and then it is going to allocate a buffer to temporarily hold that user input; the user will then type in some data, the program copies the user input to the buffer, and then the program will read and print the data in the buffer to the screen.

So this seems rather smooth, no issues here, if the user stays within that allocated space of 90 bytes, but what if the user enters data that is more than 90 bytes? Well, what is going to happen is the program can crash, error, or worse, and this is what a buffer overflow is.

So this diagram shows you how this works. It is really important to understand where the input space is and what I am calling the output space is; this is where the program communicates to the user, and this is how a hacker can exploit your system.

So at the top is the input space, this is where you allocate the space for your buffer; then at the bottom, in red, is your return address. This is where, when a function or procedure is called, the system will store it.

So when a function ends, it is going to read the return address and let the program return to where it left off, and depending upon how it operates, depending upon the program, it can't show the data results to the user.

Alright, so let's say I have "hello," and I am the user and I put "hello" into the system. As you guys can see, it is all good because of the fact that I have more allocated space than the space required for this string "hello." Now in this particular case I put in a string that exceeds my buffer, and as you can see I have stuff being held in red, and in this output space, the bottom, the local stack is being overwritten, and the saved frame pointer, and most importantly the return address.

So now what is going to happen when it returns, or when the return address is completed or it is off the stack: it jumps to that address and it starts executing instructions from the return address.

So what the attacker, what he or she is doing, is they have overwritten the return address with a pointer to the stack buffer, which now contains attacker-supplied data.

In an actual stack buffer overflow exploit the string is not a's; it would be shellcode, and we will talk about shellcode shortly.

So, shellcode that is suitable to the platform and the desired function.

So if this program has special privileges, like if the user was a super user, then the attacker can use this vulnerability to regain super user privileges on the affected machine.

The attacker can also modify internal variable values to displace some bugs.

So let me just walk you guys through this so this is clear.

If the a's just represent a's and it was nothing significant, then it would still be a problem, but your system hasn't been hacked.

Those a's are actually code, and it exceeds the allocated space, so the return address is pointing back to those instructions.

This is how this shellcode is executed by your program.

So shellcode is malicious code; it spawns a shell or command prompt in a system. I'm pretty sure you guys all know what a shell or command prompt is.

This is how hackers interface into the system.

So it is really important that your security policies must prevent overflows to avoid execution of shellcode for hackers.

This is the first part of software security, and in my opinion it probably should be its own separate course offering, because this is very involved and it is very important.

I want to just hit some of the high notes here as we continue to get through this semester.

Now it is important for us, now that we know what a buffer overflow is and how hackers use it to enter your system, the question is, well, how do we defend against those buffer overflows? The first way is through compile-time defenses and the second way is run-time defenses.

There are several options with compile-time defenses. Again, if you guys know what programming is then you know what a compiler is and what compile time is, and the difference between that and run time or execution time.

So if you want to look at compile time to prevent buffer overflows, the first thing you have to consider is the programming language.

You want to have your variable types with strong notions.

You also want your compiler to enforce range checks automatically on all of your variables.

Now of course with this there are drawbacks to this method.

It results in longer compile times, requires more resources, and it also results in longer run times; your code is further abstracted while doing this.

So again, it is an effective technique to ward off having your software exploited, but at the same time the costs would be longer compile times and run times.

The other option is to practice safe coding techniques.

Now this is easier said than done, of course, but today most organizations have software development and software engineering practices. In a lot of cases, I know that when I was in the industry, not all the jobs I had, but at least some of the programming jobs I had, we would program in dyads, so there would be two people.

Usually one person is coding the specs. So this dyad team is given a project and they are supposed to code up something, and the specs define how the code operates.

One person is going to handle that while the other person is writing error checks and error codes to make sure that the code operates as it should.

Then what we would do after that, once everything was good to go, we had to submit it to our project manager, and he would run his own set of tests, his own battery of tests, to make sure things looked good.

He would actually review the code as well; we had documentation procedures.

So it was a very involved process, much different than your old-school programmer who just sits at a computer in his house and codes away.

Nowadays most organizations rely on some type of teamwork when it comes to coding.

But then again, still easier said than done, because you sacrifice a lot of time in doing this.

Another technique is using operating systems that are very safe. The one I mentioned here is the UNIX-like OS; it is considered to be the safest operating system available, with only one remote hole discovered in eight years, as of 2006. That is pretty safe.

Another policy is, you don't want to code for success; you want to always code for the ways that things go wrong.

Again, this isn't a class to teach you how to code or how to code properly. Hopefully, if you guys are programmers or have programming experience, you already know some techniques, so I don't want to spend too much time on it now.

I do have some background in software. One of my first jobs as a programmer, and this is way back in the late 90's, I was given an assignment to add some code to some of these projects, and this was C code, and every C file already had the error messages and the error handling already completed.

So they already took care of that first.

Now of course I don't know if that technique made me practice as much as I probably should, but if you guys are leaders of your own organization I would definitely try to encourage that, because that really helps steer the project in the right way and helps to avoid bugs.

Another technique is graceful failures: you always do something sensible when the unexpected occurs, and never assume the user will do the right or the expected thing.

I think if you guys have any background in coding you definitely understand that last thing.

The user will always find a way to essentially screw up your code.

So it is always best to make sure that you expect that and you develop your code accordingly.

Compile-time defenses use language extensions and use of safe libraries.

In doing this you can actually have range checks to determine the size of the buffer; however, the drawback with this is it cannot be done for dynamic buffers.

So you can also use libraries with safer versions.

If you have legacy systems this is going to be a little more difficult, and maybe in some cases impossible, or at least not feasible.

Because old libraries can be problematic; you don't really know what is depended upon in order for it to function properly, so you have to be very careful with that.

You can always make new libraries, but then you are going to have to rewrite your source code, or scan it; that's very time consuming and you don't really need all the unintended consequences.

Another solution is to create patches using dynamic libraries, and this is what you see a lot nowadays; it doesn't require a recompile.

Now we go to run-time defenses.

Most of the compile-time defenses, other than the last one we talked about, require you to recompile your code.

Now run-time defenses are deployable as an OS update, so any time you guys have to update Windows or Linux, and I am not that familiar with Macs but I am pretty sure they have the update for that.

Any time you update the OS you are using run-time defenses.

There are several options with this.

So one way is called executable address space protection. This is where you block the processing of executable code on the stack.

So you are going to block the JIT compilers, the C nested functions, and Linux signal handlers, which would all require special provisions of that nature.

Another run-time defense is address space randomization. This is where your address space is randomized, so your buffer, your return space, is randomized, and because you are doing it, it forces the attacker to guess the location of the buffer in memory, which is really difficult to do.

The next thing is guard pages, so this is putting unwritable memory between elements of the stack frame.

So this completes the presentation for chapter ten. Again, these techniques are all available, and again, in a different course offering we go into more detail about what that looks like.

The purpose of this is just to understand what options you guys have to defend against buffer overflows.
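The stack diagram walked through above (the 90-byte buffer, the saved frame pointer and the return address below it, the string of a's that spills over them) and the bounded-copy coding defence are shown together here as an added worked example in C. It is not the lecture's or the book's code. The frame is modelled as a struct so that the overflow can be demonstrated without undefined behaviour; BUFSZ, GOOD_RET, the saved-frame-pointer value and the attacker's address are made-up stand-ins, and the real layout of a frame depends on the compiler and ABI.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ    90                        /* the lecture's 90-byte buffer */
#define GOOD_RET 0x0000000000401000ULL     /* made-up legitimate return address */

/* Model of the frame in the lecture's diagram: the local buffer sits below the
 * saved frame pointer and the return address, so bytes written past the end of
 * buf land on those fields. Using a struct keeps every write inside one object,
 * so the demonstration is defined behaviour. Real layout depends on the ABI. */
struct frame {
    char     buf[BUFSZ];
    uint64_t saved_fp;
    uint64_t ret_addr;
};

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->saved_fp = 0x00007ffc0000ff00ULL;   /* made-up saved frame pointer */
    f->ret_addr = GOOD_RET;
}

/* The bug: the copy is bounded by the input, not by buf (strcpy/gets behaviour).
 * The clamp to the whole frame exists only to keep this model well defined; the
 * real bug has no bound at all. */
static void copy_unchecked(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
}

/* The fix: the bound is the destination, over-long input is rejected rather than
 * silently truncated, and the result is NUL-terminated. 0 on success, -1 if rejected. */
static int copy_checked(struct frame *f, const unsigned char *in, size_t len) {
    if (len >= sizeof f->buf)              /* keep one byte for the NUL */
        return -1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
    return 0;
}

/* The lecture's attacker string: filler across buf and the saved frame pointer, then
 * the address control should jump to. In a real exploit the filler carries shellcode
 * and target points back into buf. Returns the payload length, 0 if out does not fit. */
static size_t build_payload(unsigned char *out, size_t cap, uint64_t target) {
    size_t ret_off = offsetof(struct frame, ret_addr);
    if (cap < ret_off + sizeof target)
        return 0;
    memset(out, 'A', ret_off);
    memcpy(out + ret_off, &target, sizeof target);
    return ret_off + sizeof target;
}

/* Return address left in the frame after an unchecked copy of the payload. */
uint64_t ret_after_unchecked_payload(uint64_t target) {
    unsigned char p[sizeof(struct frame)];
    struct frame f;
    size_t n = build_payload(p, sizeof p, target);
    frame_init(&f);
    copy_unchecked(&f, p, n);
    return f.ret_addr;
}

/* Same copy with a short, benign input: nothing past buf is touched. */
uint64_t ret_after_unchecked_benign(void) {
    struct frame f;
    frame_init(&f);
    copy_unchecked(&f, (const unsigned char *)"hello", 5);
    return f.ret_addr;
}

/* Status of the checked copy when fed the payload (-1 means rejected). */
int checked_rejects_payload(uint64_t target) {
    unsigned char p[sizeof(struct frame)];
    struct frame f;
    size_t n = build_payload(p, sizeof p, target);
    frame_init(&f);
    return copy_checked(&f, p, n);
}

/* Return address left in the frame after the checked copy of the payload. */
uint64_t ret_after_checked_payload(uint64_t target) {
    unsigned char p[sizeof(struct frame)];
    struct frame f;
    size_t n = build_payload(p, sizeof p, target);
    frame_init(&f);
    (void)copy_checked(&f, p, n);
    return f.ret_addr;
}

int main(void) {
    uint64_t attacker = 0x4141414141414141ULL;   /* the lecture's a's, as an address */
    printf("benign, unchecked : ret_addr = 0x%llx\n", (unsigned long long)ret_after_unchecked_benign());
    printf("payload, unchecked: ret_addr = 0x%llx\n", (unsigned long long)ret_after_unchecked_payload(attacker));
    printf("payload, checked  : rc = %d\n", checked_rejects_payload(attacker));
    printf("payload, checked  : ret_addr = 0x%llx\n", (unsigned long long)ret_after_checked_payload(attacker));
    return 0;
}
```

The unchecked path is the lecture's picture in miniature: "hello" leaves the return address alone, while a string longer than the buffer plus the saved frame pointer replaces it with whatever the attacker put in the last eight bytes. The checked path is the "code for the ways things go wrong" advice from the lecture: the length test is against the destination, and input that does not fit is refused rather than copied up to wherever it happens to end.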

They develop business intelligence applications for customers around the world.

This is Bob.

He's the Director of Product Management for Success Corp.

Bob's job is to maximize software revenue while minimizing piracy.

In other words, make sure those people who actually paid for the software are the ones using it.

Software overuse and piracy is a major issue for Bob and the software industry.

In 2011, more than sixty-three billion dollars in revenue was pirated.

Bob knows that in order to stay profitable and competitive he needs a way to protect his company's applications from unauthorized use while meeting the demands of his diverse customers.

He decided to adapt his company's products to meet the pricing and packaging needs of his customers by creating one single version of each application and then using licensing to turn specific features on and off.

This allowed him to create several distinct packages that he was able to customize and distribute to each of his customers.

This was great because it gave the customers exactly what they wanted, and Bob was better able to manage the costs of developing the software.

But Bob wasn't satisfied. He knew he had to keep pace with technology, and SaaS was the fastest growing segment of the software industry, so he decided to create a SaaS offering and put it in the Amazon store.

Since the software had the right licensing in place, he knew his software was protected and monetized appropriately.

Licensing was the missing piece Bob was looking for.

He remembered back to a time when he tried a software-audit-only approach, sending in teams to his enterprise customers to check for non-compliance.

This always felt too invasive, not to mention it was expensive and difficult to do. Now, with the right licensing and compliance technology in place, Bob was back in the driver's seat and could set specific policies for his customer base.

For customers in markets where piracy is an issue, he used strict enforcement licensing to protect his software against abuse.

For his large enterprise customers who need more flexibility with their licensing, he set up a five percent overage model that provided uninterrupted use of his software in the event of small fluctuations in licensing needs.

Bob loved this newfound flexibility and set his mind to creating even more solutions for his customers.

Some of Bob's customers wanted the flexibility to add licenses as needed but also wanted predictable pricing, so Bob created a hybrid pricing model that combined a normal site license with a perpetual license, enabling his customers to add users at any time by paying an incremental quarterly fee.

Finally, for Bob's most trusted global enterprise customers, he developed a usage-based licensing model that enabled them to use his applications freely while monitoring usage behind the scenes.

This trust-but-verify approach provided a single reconciled source of usage and entitlements to their customers, making it easy to track and bill for overages.

Bob's customers loved his dynamic new approach to software licensing, and he was able to boost Success Corp's recurring revenue by forty percent.

Yep, Bob was a hero around the office, and his boss promoted him to vice president.

Atta boy, Bob.

Learn how Flexera Software's Compliance Management Solution gives you the control and flexibility you need to boost your revenue and customer satisfaction and be a hero like Bob.

Best security apps for Android.

360 Security is in the number one position, and it is free. 360 Security is a suite of antivirus and optimization tools. 360 Total Security Essential installs quickly and is a relatively light program that will not clog the system. 360 Security scans your Android device for viruses, malware and system vulnerabilities. The main features of 360 are Boost, Clean and Antivirus, everything done in a one-tap solution; it can also boost the performance of your device by freeing up memory and cleaning up caches. Other features: App Lock to protect your privacy and lock apps against snoopers, Find My Phone, App Manager, call and SMS filter, and Data Monitor. Use it and you will find the difference from other security apps.

My next recommendation is Avast Mobile Security. It has 55-plus million users, is available on mobile in twenty-plus languages, and scans and secures against infected files, unwanted privacy issues, phishing, malware and malicious viruses such as trojans, and even against loss or theft. The main features of Avast are virus scanner, anti-theft, mobile backup and app locking; a phone tracker option is there, and you can use the cell phone locator features to find it, control it remotely and much more.

My next recommendation is Avira Antivirus Security. Its main features: antivirus protects your device from threats, viruses and other types of malware; it helps to find your device when your device goes missing, it can track the location, erase all private data from your device, and you can lock the device also; there is a block option to protect your apps from being accessed by an unauthorized user of your device, with no need to install another application.

My next recommendation is ESET Mobile Security and Antivirus, with the most important options like antivirus, anti-theft, and SMS and call filter.

My final recommendation is AVG Antivirus Pro. It has many nice options like protection, performance, anti-theft and privacy. In the performance option there are a task killer and a battery consumption mode. It has one of the best anti-theft and phone location features: locate your lost or stolen phone using Google Maps. More options like app lock, app backup, and call and message blocker.

I have recommended the best security apps for Android; you can use any one of these five apps. Don't forget to subscribe to my YouTube channel.

Many people who use Android phones install a particular type of app on their phone. These apps are capable of locking every other app with a password. Users install this kind of app on their phone to keep their private photos, messages, videos etc.

from the eyes of snoopy relatives, friends or neighbours. But this kind of app does its work only until it is somehow uninstalled from your mobile. To prevent uninstallation these apps have some advanced features also, for instance locking the Settings, locking the Package Manager (which handles install, uninstall and upgrade of any app), putting the app in the Device Administrators list, and providing Usage Access to the app. After turning these security features on, many people think that they are totally secure now and nobody can access their private messages and media without entering the password or pattern. If this is also what you think, then this video is for you.

To bypass or exploit the security of such apps, first you have to boot or start your phone in Android Safe Mode. To boot your mobile in Safe Mode you have to press your phone's Power key until the Power Off dialogue appears on your screen, then select and hold the Power Off option until another dialogue box, "Reboot to safe mode", appears. When you confirm this by selecting OK, your phone will restart. After restarting you will notice that there is no lock on Settings. Open Settings, go to Apps and uninstall that locking app. After uninstalling, restart your phone. After restarting you will notice that all the apps which were locked have no lock now, because we have uninstalled the app which was locking the other apps.

We all know how important backups are, and it shouldn’t take a disaster to make anyone understand that.

It is important to take backups of your GFI MailEssentials product configuration as, in the event of data loss, GFI cannot recover your configuration.

To do this, run meconfigmgr.exe from the GFI MailEssentials installation directory.

Then click Export and select a directory to save your configuration to.

If you are using GFI MailEssentials 2012 SR3 build 20121218 or later, then your whitelist, blacklist and reports settings will also be exported.

But are there folders that should be excluded from the antivirus and backup software? Yes, there are, and we are going to show them to you.

If GFI MailEssentials is installed with (x86) Exchange 2003, then you need to add the following exclusions:

If it is installed with (x64) Exchange 2007:

If it is installed with (x64) Exchange 2010:

If you have installed it with (x64) Exchange 2013:

And finally, if you have installed GFI MailEssentials with IIS Relay (Windows Server 2003, 2008, or 2012), exclude these folders: